RU2731467C1 - Method for early detection of destructive effects of botnet on a communication network - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: invention relates to systems for determining computer attacks on communication networks using Internet resources. Technical problem is solved due to the early detection method of Botnet destructive actions on the communication network, in which by analyzing the information stream arriving at the pre-infected personal computer, determining the type and target of Botnet actions, on the basis of which measures are taken to advance activation of means and methods of counteracting destructive action.EFFECT: technical result is reduced time for making a decision to counteract destructive effect on a communication network from Botnet due to identification of the beginning of destructive effect at the stage of Botnet preparation for action.1 cl, 3 dwg

Description

The invention relates to systems for detecting computer attacks on communication networks using Internet resources.

Bot is a special application that performs automatically and / or according to a specified schedule any actions through interfaces designed for interaction with a person ([Electronic resource] URL: https://www.kaspersky.ru/resource-center/threats/botnet- attacks).

Botnet is a network of infected computers remotely controlled by cybercriminals for the purpose of carrying out various destructive actions ([Electronic resource] URL: https://www.kaspersky.ru/resource-center/threats/botnet-attacks).

Known "System and method for detecting targeted attacks on corporate infrastructure" (RF patent No. 2587426, G06F 21/00 (2013.01), publ. 06/20/2016 Bulletin No. 17), which consists in the fact that, using a means of detecting suspicious objects, they receive information about at least one object on the computing device; analyzing information about the object using the suspicious object detection tool, while determining whether the analyzed object is suspicious or not based on a set of heuristic rules used by the suspicious object detection tool; using the suspicious object detection tool, collect information about the object, if it was found suspicious at a stage earlier; send a request to transfer a potentially malicious object; in this case, the recognition of a suspicious object as potentially harmful in accordance with heuristic rules is carried out by comparing information about the analyzed object and information about objects stored in the database of malicious objects and the database of safe objects; receive a request from the object analysis tool to transfer a potentially malicious object using the suspicious object detection tool; using the security policy enforcement tool to determine whether a potentially malicious object can be passed to the object analyzer; at the same time, if the transfer of a potentially malicious object is prohibited in accordance with the used security policies, the tool for compliance with security policies prohibits the transfer of a potentially malicious object to the object analyzer, otherwise the transfer is allowed; analyze the received potentially malicious object using an object analysis tool, while determining whether the degree of similarity of a potentially malicious object with an object from the database of malicious objects exceeds a predetermined threshold, and if the degree of similarity of a potentially malicious object with an object from the database of these malicious objects exceeds a predetermined threshold, then the said object is considered malicious.

Known "System and method for detecting signs of a computer attack" RF patent No. 2661533, G06F 21/55 (2013.01), publ. 17.07.2018 Bul. No. 20), which consists in the fact that, using at least one security means located in the information system, collect information about at least one object on the computer, including, in particular, information about the said security means and collected information about the object, while the detection tool stores the received security notification in the object database; find one object contained in the received security notification in the threat database; add in the object database to the mentioned object a label corresponding to the mentioned object in the threat database; searching for signs of suspicious activity contained in the database of suspicious activity based on the received security notification and added object labels contained in said security notification; when a sign of suspicious activity is found, add a label contained in the suspicious activity database to the security notification; detecting signs of a computer attack by detecting, one signature of computer attacks from the database of computer attacks among the received objects, and security notifications, and labels of said objects, and labels of security notifications from the database of objects; when a sign of suspicious activity is found, additionally add a tag from the database of suspicious activity to the protection device contained in the said security notification, and when detecting a computer attack, additionally based on a comparison of the set labels to the said protection tool with signatures of computer attacks from the targeted attacks database; when adding to the security notification a label indicating the need to provide one object contained in the security notification, or additional information about the specified object, the discovery tool requests the object or additional information about the specified object, while after receiving the requested object from the security tool, or additional information about the specified object; search the object database among the objects contained on two computers for the virus signature from the threat database and, if the virus signature matches the object database records, determine the object as malicious and add a label to the object in the object database indicating that that the object is malicious; generate a security notification for a detected malicious object, containing information about the object and information about protection means on the computers of which the object is contained.

The closest in technical essence and functions performed by an analogue (prototype) to the claimed method is "A method of using options for countering network and streaming computer intelligence, and network attacks, and a system that implements it" RF patent No. 2682108, G06F 21/60 (2013.01), H04B 17/00 (2015.01), publ. 03/14/2019 Bul. No. 8, which consists in the fact that the values of the selected parameters are compared with the reference signs of the initial alphabet of state classes and, based on the comparison results, the group of classes of the possible state in the conditions of conducting network attacks is determined, the parameters of the communication network, network attacks are monitored, taking into account the dynamics of changes in the selected controlled parameters forecasting the time of the onset of the critical (pre-failure) state of the communication network, measuring the parameters of network attacks on the same type of operating communication networks, saving the measured values in the data storage unit, entering the measured values into the data processing unit, forming a model of a distributed system for monitoring the technical state of the communication network, developing measures to counter network attacks, deploy and operate the communication network, during the operation of the communication network, monitor the parameters of network attacks, based on the available statistical data, predict the parameters ts of network attacks, as well as the parameters of the communication network in the conditions of conducting network attacks, based on the data received from the distributed monitoring system about the parameters of the network attack and the predicted values of the communication network, a set of measures to counter network attacks are carried out, after the end of the impact, the measured parameters of the network attack are compared and the values of the parameters obtained from independent third-party monitoring systems, after highlighting the parameters that are signs of the technical condition of the communication network, conducting network and streaming computer intelligence and network attacks, form models of a communication network node with a protection system that takes into account ways to counter network attacks, taking into account the different number of subscribers , which are provided with a different number of communication services, simulate network attacks on a communication network node, taking into account the protection system, the results are saved, while monitoring the parameters of network attacks, measure and determine changes in the parameters of a communication network node, after fixing network attacks, based on the available signs, identify the attacker, based on the available statistical data, calculate the parameters of network attacks, as well as the parameters of the communication network in the conditions of conducting network attacks, assess the capabilities of the enemy, after the end of the impact, compare the actual values of the protection system with the specified ones, if the specified ones are exceeded values make changes to the original data.

Technical problem: long decision-making time on countering the destructive impact on the communication network by Botnet, caused by the fact that the decision to take measures to counter the impact is made after the attack detection system is triggered.

EFFECT: reduced time for making a decision on counteracting destructive impact on the communication network from Botnet, due to identification of the beginning of destructive impact at the stage of Botnet preparation for impact.

The technical problem is solved by developing a method for early detection of the destructive effects of Botnet on a communication network, in which, by analyzing the information flow supplied to a previously infected personal computer, the type and purpose of Botnet impacts are determined, on the basis of which measures are taken to activate the means and methods of countermeasures in advance. destructive effects.

The technical problem is solved by the following sequence of actions in the method of early detection of destructive effects of Botnet on the communication network:

A monitoring network is formed, including network sensors (Attack detection system "Forpost" [Electronic resource] URL: http://www.rnt.ru/ru/production/detail.php?ID=19) installed in various segments of the Internet, as well as communication channels connected to the control server of the communication network protection system (https://infotecs.ru/product/vipnet-coordinator-hw-1000.html).

Implement the deployment and operation of the communication network.

During the operation of the communication network, they monitor the conduct of destructive impact (DI) in relation to the protected network (Attack detection system "Forpost" [Electronic resource] URL: http://www.rnt.ru/ru/production/detail.php? ID = nineteen).

Form a database on the parameters of the DV for the same type of communication nodes (Ch. 5.4 pp. 133-146, Ch. 7 pp. 168-233, Galitsina OL and others. Databases: Textbook. Forum-Infra-M Moscow 2006 . 352 s.).

During the monitoring of the DV, the values of the DV parameters per node are measured, such as: the time from receiving the command to the beginning of the impact; duration of exposure; the number of Bot participating in the Far East (Forpost attack detection system [Electronic resource] URL: http://www.rnt.ru/ru/production/detail.php?ID=19); measure the values of the weakening capabilities of the applied options and methods of countering DV (https://www.securitylab.ru/analytics/442099.php, RF patent No. 2636640 C2, Published on November 27, 2017 bull. No. 33), the obtained measurement values are stored in the database (Ch. 5.4 pp. 133-146, ch. 7 pp. 168-233, Galitsina OL and others. Databases: Textbook. Forum-Infra-M Moscow 2006. 352 p.).

After fixing the fact of destructive impact on the basis of the available signs, the attacker is identified (Abramov OV Monitoring and forecasting the technical state of critical systems. Informatics and control systems. Blagoveshchensk: Amur State University. Electronic journal 2011. No. 2 (28) P. 9) ...

Based on the available statistical data, the parameters of the DV are predicted (Grechishnikov E.V., Dobryshin M.M., Zakalkin P.V. Proposal for assessing the ability of a computer network node to function in conditions of information and technical impacts / Cybersecurity Issues No. 3 (17): JSC "NPO Echelon" - Moscow. –2018. - P.2-9.), As well as the parameters of the protected network operating in the Far East.

If the target of a destructive attack is a node of an unprotected network, using monitoring tools, they measure the capabilities of Botnet and supplement the database characterizing the parameters of the DV.

If the target of the destructive impact is the node of the protected network, then on the basis of the available data on the parameters of the Botnet DV, the possible damage from the impact is predicted.

On the basis of the predicted damage from DV, a list of options and methods for countering DV is determined (Grechishnikov E.V., Dobryshin M.M.An approach to modeling a computer network node as an object of heterogeneous computer attacks carried out simultaneously / Proceedings of the IV Interuniversity Scientific and Practical Conference "Problems of technical support of troops in modern conditions: Military Academy of Communications. - St. Petersburg. –2019. - pp. 19-23), as well as the procedure for their use (it is possible to implement on the Microsoft database - SQL Server).

Based on the analysis of the DV parameters, the fact of the end of the destructive effect of Botnet is recorded.

At the end of the impact, the calculated values of the parameters of damage from IR are compared and the actual values of the parameters of IR with those available in the database, if the specified values are exceeded, changes are made to the database. If the values of the Botnet DV parameters do not correspond to the specified values, then the parameter values are specified. If the values of the DW parameters correspond to the specified ones, then the effectiveness of the applied options and methods of counteraction is assessed. If the values of the damage parameters correspond to the existing values in the database, continue monitoring. If the values of damage do not correspond to the existing values in the database, then the values of the parameters are specified.

According to the invention, added, based on the analysis of information security incidents, the existing Botnets on the Internet are identified and classified.

Based on statistical data, malicious programs are determined (Security Scanner RedCheck [Electronic resource] URL: https://www.redcheck.ru/), with the help of which the attacker infects personal computers and commands sent by the Botnet control center to infected personal computers.

Determine the reasons for the infection of personal computers with Botnet malware, such as the most frequently visited sites, protection settings or their absence, the operating system used, the browser.

They rent several digital communication channels from a telecom operator for using Internet resources (https://tech.ru/services/kanaly-i-trafik/).

Configuring the personal computer so that it is likely to be infected with Botnet malware, including configuring or not installing defenses; install the required operating system, browser.

Install software capable of identifying the command from Botnet about the beginning of the impact, as well as identifying the IP address to which the infected computer will be exposed ("software module for statistical data analysis based on machine learning methods", certificate of state registration of computer programs No. 2019618572 Kozachok A. V., Spirin A.A .; Avast file decryption software [Electronic resource] URL: https://blog.avast.com/ru/4-besplatnyh-deshifratora-dlya-fajlov-zarazhennyh-programmoj-vymogatelem).

On the basis of statistical data, threshold values of parameters are determined and memorized, characterizing various destructive influences that are carried out by the given Botnet.

The monitoring network is supplemented by a PC, which is infected with Botnet malware and a PC, which is used to signal a possible destructive effect on the protected communication network.

They connect the configured PC to the Internet and visit network resources on which a high probability of infection with Botnet malware is recorded.

The installed software is used to determine if a PC is infected with Botnet malware (RedCheck Security Scanner [Electronic resource] URL: https://www.redcheck.ru/, Kaspersky Total Security software [Electronic resource] URL: https: //www.kaspersky .ru /).

If no infection is detected, the next site is selected from the list of sites with a high probability of infection with Botnet malware, until the infection occurs.

Using the installed software, the received messages and commands from Botnet are analyzed ("software module for statistical data analysis based on machine learning methods", certificate of state registration of computer programs No. 2019618572 A.V. Kozachok, A.A. Spirin; Decryption software files Avast [Electronic resource] URL: https://blog.avast.com/ru/4-besplatnyh-deshifratora-dlya-fajlov-zarazhennyh-programmoj-vymogatelem).

Receive and process the incoming information flow (Forpost attack detection system [Electronic resource] URL: http://www.rnt.ru/ru/production/detail.php?ID=19;"program module for statistical data analysis based on methods machine learning "certificate of state registration of computer programs No. 2019618572 Kozachok A.V., Spirin A.A .; Avast file decryption software [Electronic resource] URL: https://blog.avast.com/ru/4-besplatnyh -deshifratora-dlya-fajlov-zarazhennyh-programmoj-vymogatelem).

The received data is converted into a binary form by obtaining the corresponding value of the character position in the Unicode encoding table (Unicode encoding [Electronic resource] URL: https://home.unicode.org/).

A vector of statistical characteristics is formed by counting the number of subsequences occurring in the obtained data (Konyshev M.Yu. Formation of probability distributions of binary vectors of an error source of a Markov discrete communication channel with memory using the method of "grouping probabilities" of error vectors. / M.Yu. Konyshev, A Barabashov, K.E. Petrov, A.A. Dvilyanskiy // Industrial ACS and controllers. 2018. No. 3. P. 42-52; Kozachok A.V., Spirin A.A.On the statistical properties of compression algorithms and encryption // Collection of materials of the scientific and technical conference "Actual problems of information telecommunications in science and education", St. Petersburg, 2019), after which the vector of statistical characteristics of the obtained data is compared with the identification model. The comparison is performed by applying a machine learning algorithm - an algorithm for constructing a decision tree (Breiman L., Friedman J., Olshen R., Stone C. Classification and Regression Trees // Wadsworth, Belmont, CA. 1984. 368 p. ISBN: 9781351460491), performing the selection of features from the vector of statistical characteristics according to the criterion of maximum increase in information (Breiman L., Friedman J., Olshen R., Stone C. Classification and Regression Trees // Wadsworth, Belmont, CA. 1984. 368 p. ISBN: 9781351460491), determine the presence or absence of PSP (Konyshev M.Yu. Formation of probability distributions of binary vectors of the source of errors of a Markov discrete communication channel with memory using the method of "grouping probabilities" of error vectors. / M.Yu. Konyshev, A.Yu. Barabashov, K.E. Petrov, A.A. Dvilyansky // Industrial ACS and controllers. 2018. No. 3. P. 42-52; Kozachok A.V., Spirin A.A.On the statistical properties of compression and encryption algorithms // Collection of scientific technical conference ii "Actual problems of infotelecommunications in science and education", St. Petersburg, 2019), formed by cryptoalgorithms.

If there is no PSP generated by cryptoalgorithms in the analyzed data, then it redirects the analyzed data to the message cleaning center, where, after clearing (destroying) the data, the incoming information flow continues to be received and processed.

If the PSP generated by the cryptoalgorithms are detected, the analyzed data is redirected to the message decryption center.

The system operation time is estimated, if the condition is met, then the sequence operation ends.

Based on the analysis of the received messages, a decision is made on the receipt of a command from Botnet.

If a command from Botnet has not been received by the protected host, continue monitoring.

If a command from Botnet is received, then the received command is analyzed, the type of destructive impact and IP addresses are determined.

Based on the analysis of the IP address, a decision is made on whether the target of Botnet's destructive influence belongs to the protected network.

The results of the search for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototypes of the features of the claimed invention, have shown that they do not follow explicitly from the prior art. The prior art determined by the applicant has not revealed the influence of the essential features of the claimed invention on the achievement of the specified technical result. Therefore, the claimed invention meets the "inventive step" requirement of patentability.

The "industrial applicability" of the method is due to the presence of an element base, on the basis of which devices that implement this method can be made to achieve the purpose specified in the invention.

The claimed method is illustrated by the following drawings, which show:

FIG. 1 is a sequence of functioning of a method for early detection of destructive effects of Botnet on a communication network.

FIG. 2 - sequence of functioning of the unit for monitoring received messages.

FIG. 3 - the results of evaluating the effectiveness of the claimed method.

The method of early detection of the destructive effects of Botnet on the communication network is explained by the structural and logical sequence of actions (Fig. 1), where in block 1, based on the analysis of information security incidents, the existing Botnets on the Internet are determined and classified (Kaspersky anti-botnet feeds, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds).

In block 2, malicious programs are determined based on statistical data (data streams from Kaspersky Botnet C&C Data Feeds and Kasrepsky Security Network, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds), by means of which the attacker infects personal computers (PCs) and commands issued by the Botnet control center to the infected PC.

In block 3, the reasons for the infection of a PC are determined (the most frequently visited sites; settings of protection tools or their absence; operating system, browser and other hacked sites, phishing attacks. [Electronic resource] URL: https://www.kaspersky.ru/ botnet-monitoring-and-data-feeds) by Botnet malware. Add a tag to the database that matches the malware for the specified Botnet.

In block 4, several digital communication channels are leased from a telecom operator (Provision of digital communication channels for rent [Electronic resource] URL: https://tech.ru/services/kanaly-i-trafik/), to use Internet resources.

In block 5, the PC is configured in such a way that there is a high likelihood of infection with Botnet malware (they configure protection tools or do not install them; install the required operating system, browser, etc.). Setting up a protection tool includes, in particular, information about the behavior of processes; operating system events; information about interconnection; the checksum of the object or the checksum of its part; the source of the object; the time the object appears within the computing device; data transmitted over the network by the object, and the detector saves the received security notification to the object database.

In block 6, on the basis of statistical data, threshold values of parameters are determined and stored that characterize various destructive actions that are carried out by the given Botnet (IP address or domain name of the botnet controlling center; characteristics of HTTP or IRC packets with certain control commands; dimension of network packets; time intervals of network communications; malicious activity traffic such as scanning, spamming, downloading binary files; DNS, SMTP protocol information; communication protocol used and transport layer ports).

In block 7, a network is created for monitoring the state of PCs infected with Botnet malware (Kaspersky Network Security, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds). The monitoring network is not physically connected to infected PCs. The monitoring network includes network sensors installed in various segments of the Internet, as well as communication channels connected to the control server of the communication network protection system.

In block 8, the configured PC is connected to the Internet and visited network resources on which a high probability of infection with Botnet malware is recorded.

Block 9 uses the intrusion detection tool to record the fact that a PC has been infected with Botnet malware. If the infection is not recorded in block 10, the next site is selected from the list of sites with a high probability of infection with Botnet malware, until infection occurs.

In block 11, the incoming information flow is analyzed for the presence of commands from the Botnet (Fig. 2). Where in block 11.1 the incoming information flow is received and processed (WireShark software, [Electronic resource] URL: https://www.wireshark.org).

In block 11.2, the received data is converted to a binary form by obtaining the corresponding value of the character position in the Unicode encoding table (as an example, it is possible to use the Unicode encoding https://home.unicode.org/) and translating this integer into a binary representation.

In block 11.3, a vector of statistical characteristics is formed by counting the number of subsequences of 9 bits in length that occur in the received data. To form the feature space, it is enough to consider half of all possible combinations of subsequences (Konyshev M.Yu. Formation of probability distributions of binary vectors of the error source of a Markov discrete communication channel with memory using the method of "grouping probabilities" of error vectors. / M.Yu. Konyshev, A.Yu. Barabashov, K.E. Petrov, A.A. Dvilyansky // Industrial ACS and controllers. 2018. No. 3. P. 42-52; Kozachok A.V., Spirin A.A.On the statistical properties of compression and encryption algorithms // Collection of materials of the scientific and technical conference "Actual problems of information telecommunications in science and education", St. Petersburg, 2019). The number of subsequences is calculated using the formula:

, (1)

, (1)

– частота i подпоследовательности длины n бит в анализируемых данных без учета полного перекрытия, N – длина анализируемых данных в битах.Where

Is the frequency of the i subsequence of length n bits in the analyzed data without taking into account the complete overlap, N is the length of the analyzed data in bits.

In block 11.4, the vector of statistical characteristics of the obtained data is compared with the identification model. The comparison is performed by applying a machine learning algorithm - an algorithm for constructing a decision tree that selects features from a vector of statistical characteristics according to the criterion of maximum information gain (Breiman L., Friedman J., Olshen R., Stone C. Classification and Regression Trees // Wadsworth, Belmont , CA 1984. 368 p. ISBN: 9781351460491).

Block 11.5 determines the presence or absence of the PSP generated by cryptoalgorithms (Kozachok A.V., Spirin A.A.On the statistical properties of compression and encryption algorithms // Proceedings of the scientific and technical conference "Actual problems of information telecommunications in science and education", St. Petersburg, 2019). If the PSP generated by the cryptoalgorithms in the analyzed data is not present, then it redirects the analyzed data or to the message cleaning center (Block 11.6), where, after clearing (destroying) the data, receiving and processing the incoming information flow continues (Block 11.1).

If the PSP generated by the cryptoalgorithm is detected, then the analyzed data is redirected to the message decryption center (Block 11.7).

In block 12, the system operation time is estimated (GOST R IEC 61069-4-2012. Measurement and control of an industrial process. Determination of system properties for the purpose of its assessment. Part 4. System performance assessment). If the condition is met, then the sequence ends.

If the condition is not met in block 13, based on the search for signs and analysis of received messages, a decision is made to receive a command from Botnet (Kaspersky Anti-Botnet Data Feed, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring- and-data-feeds). If the command is not received, continue monitoring in block 12.

If a command is received from Botnet, then in block 14 the received command is analyzed (Kaspersky Anti-Botnet Data Feed, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds), the type destructive impact, the time of the beginning of the impact, the sequence of its application (tactics, technology and procedures of the applied impact), the purpose of the impact (IP-address).

In block 15, a decision is made on the belonging of the Botnet destructive target to the protected network (comparing the IP addresses of the attack target with the IP addresses of the protected network).

If the target of a destructive attack is a node of an unprotected network, in block 16, using monitoring tools, they measure the capabilities of Botnet (Kaspersky Anti-Botnet Data Feed, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and- data-feeds) and supplement the database (block 17) characterizing the parameters of the Botnet DV, which includes the infected PC.

If the target of the destructive attack is a node of the protected network, in block 18, based on the available data on the parameters of the Botnet DV (block 17), they predict the possible damage from the DV (Kaspersky Statistics, [Electronic resource] URL: https://cybermap.kaspersky.com/ru / stats).

Based on the predicted damage from DV in block 19, a list of options and methods for countering DV is determined (Kaspersky Anti-Botnet Data Feed, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds ), as well as the order of their use.

In block 20, the necessary measures are taken to prepare the options and methods for countering DV Botnet (Kaspersky Anti-Botnet Data Feed, [Electronic resource] URL: https://www.kaspersky.ru/botnet-monitoring-and-data-feeds).

In block 21, the values of the LW parameters are changed for the node (the time from the receipt of the command to the beginning of the LW; the duration of the LW; the number of Bot; the power of the LW), the values of the weakening capabilities of the applied options and methods of countering the LW are measured.

In block 22, based on the analysis of the received packets, the end of the destructive effect of Botnet is determined (decrease in network activity, end of the activity of network protocols, etc.).

In block 23, the calculated values of the DV parameters of a given Botnet are compared. If the values of the Botnet DW parameters do not correspond to the specified values in block 17, the parameter values are specified.

If the values of the DW parameters correspond to the given ones, in block 24 the effectiveness of the applied options and methods of counteraction is evaluated (block 25).

If the efficiency values correspond to the existing values in the database, continue monitoring in block 11.

If the efficiency values do not correspond to the existing values in the database, the parameter values are specified in block 17.

The calculation of the effectiveness of the claimed method was carried out by comparing the decision time for the prototype method and the claimed method. Decision-making processes are graphically presented in figure 3. For ease of comparison of these two processes, let us assume that the "Time of team propagation in Botnet, about the beginning of the impact" and "The time of making a decision and activating protection means" for the prototype method and the proposed method are equal. Then, the decrease in the time for making a decision on counteracting the destructive impact on the communication network from Botnet can be considered the "Time of manifestation of signs of destructive impact."

Based on this, it follows that the claimed method, due to the development of a method for early detection of the destructive effects of Botnet on the communication network, in which, based on the analysis of the information flow received by the previously infected personal computer, the type and purpose of the Botnet actions are determined, taking into account which measures are taken by early activation of means and methods of counteracting destructive effects, ensures the achievement of the claimed technical result.

Claims (1)

A method for early detection of destructive effects of Botnet on a communication network, comprising: forming a monitoring network including network sensors installed in various segments of the Internet, as well as communication channels connected to a control server of a communication network protection system; carry out the deployment and operation of the communication network; during the operation of the communication network, they monitor the conduct of destructive impact (DI) in relation to the protected network; form a database on the parameters of the DV for the same type of communication nodes; during the monitoring of the RF, the values of the RF parameters per node are measured, such as the time from the receipt of the command to the beginning of the RF, the duration of the RF, the number of Bot participating in the RF, the values of the attenuating capabilities of the applied options and methods of countering the RF are measured, the obtained measurement values are stored in the database; after fixing the fact of destructive influence on the basis of the available signs, the attacker is identified; on the basis of the available statistical data, the parameters of the RF are predicted, as well as the parameters of the protected network operating in the conditions of the RF; if the purpose of the destructive impact is a node of an unprotected network, using monitoring tools, they measure the capabilities of Botnet and supplement the database characterizing the parameters of the RF; if the target of the destructive impact is the node of the protected network, then on the basis of the available data on the parameters of the Botnet DV, the possible damage from the impact is predicted; on the basis of the predicted damage from DV, determine the list of options and methods for countering DV, as well as the procedure for their use; based on the analysis of the DV parameters, the fact of the end of the destructive effect of Botnet is recorded; at the end of the impact, the calculated values of the parameters of damage from IR are compared and the actual values of the parameters of IR with those available in the database, if the specified values are exceeded, changes are made to the database; if the values of the Botnet DV parameters do not correspond to the specified values, then the parameter values are specified; if the values of the DW parameters correspond to the given ones, then the effectiveness of the applied options and methods of counteraction is assessed; if the values of the damage parameters correspond to the existing values in the database, continue monitoring; if the values of damage do not correspond to the existing values in the database, then the values of the parameters are specified, characterized in that, based on the analysis of information security incidents, the existing Botnets on the Internet are determined and classified; on the basis of statistical data, malicious programs are determined by which an attacker infects personal computers and commands issued by the Botnet control center to infected personal computers; determine the reasons for the infection of personal computers with Botnet malware, such as the most frequently visited sites, protection settings or their absence, the operating system used, the browser; lease several digital communication channels from a telecom operator to use Internet resources; configure a personal computer in such a way that there is a high likelihood of being infected with Botnet malware, including setting up protection tools or not installing them; install the required operating system, browser; install software capable of identifying a command from Botnet about the beginning of the impact, as well as identifying the IP address that the infected computer will be exposed to; on the basis of statistical data, the threshold values of the parameters are determined and memorized, characterizing the various destructive effects that are carried out by the given Botnet; the monitoring network is supplemented with a personal computer, which is infected with Botnet malware and a PC, with the help of which signaling about a possible destructive effect on the protected communication network is carried out; connect the configured PC to the Internet and visit network resources on which a high probability of infection with Botnet malware is recorded; using the installed software, determine the infection of a personal computer with malicious malicious software Botnet; if no infection is detected, select the next site from the list of sites with a high probability of infection with Botnet malware, until infection occurs; using the installed software, they analyze incoming messages and commands from Botnet; receive and process the incoming information flow; converting the received data into a binary form by obtaining the corresponding value of the character position in the Unicode encoding table; a vector of statistical characteristics is formed by counting the number of subsequences occurring in the received data, after which the vector of statistical characteristics of the obtained data is compared with the identification model; the comparison is performed by applying a machine learning algorithm - an algorithm for constructing a decision tree that selects features from a vector of statistical characteristics according to the criterion of the maximum increase in information determine the presence or absence of pseudo-random sequences formed by cryptoalgorithms; if there is no pseudo-random sequences generated by cryptoalgorithms in the analyzed data, then redirects the analyzed data or to the message clearing center, where, after clearing (destroying) the data, receiving and processing the incoming information flow continues; if a pseudo-random sequence generated by a cryptoalgorithm is detected, then the analyzed data is redirected to the message decryption center; the time of the system operation is estimated, if the condition is met, then the operation of the sequence is terminated; based on the analysis of the received messages, a decision is made on the receipt of a command from Botnet; if the commands from Botnet are not received by the protected host, continue monitoring; if a command from Botnet is received, then the received command is analyzed, the type of destructive impact and IP addresses are determined; based on the analysis of the IP address, a decision is made about the belonging of the Botnet destructive target to the protected network.

Images